d1bf365dc4132fb562fb99e01e3613ed2a3548d5af74a810debacb7da8bf4e28

Reason

Machine shutdown

General

Target

67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe
Size

39KB
MD5

67b78d68337844c4ce0c585851b633e2
SHA1

e356526d53a8f1bef9587544c46af4035d31d7f8
SHA256

d1bf365dc4132fb562fb99e01e3613ed2a3548d5af74a810debacb7da8bf4e28
SHA512

0b4ce217d00d6f1f76700a15aeae9cbf91a88f3e4ec96806e4f45b04480f19b734151fd74934921d8cf08ea702b49c4f88682df446d8330c6486e9169e8ec0be
SSDEEP

384:bZk4nwCxOnBpWP0Gre5dHMvjNk4UIgeOdCAH2N7gt/V5bd2ChRl9mmu1ZPeic:bZhwCepW1re5arXAHr/Lbd2Pmbi

Score

8^/10

evasion

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svchost.exe

Deletes itself 1 IoCs

pid	Process
4556	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3188	3BCD31EF45A5190D7396.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000009bb5e1a71ba8e530000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000009bb5e1a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090009bb5e1a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d09bb5e1a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000009bb5e1a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	4556	svchost.exe
Token: SeBackupPrivilege	3444	vssvc.exe
Token: SeRestorePrivilege	3444	vssvc.exe
Token: SeAuditPrivilege	3444	vssvc.exe
Token: SeShutdownPrivilege	852	shutdown.exe
Token: SeRemoteShutdownPrivilege	852	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1012	LogonUI.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 4556	3984	67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe	87
PID 3984 wrote to memory of 4556	3984	67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe	87
PID 3984 wrote to memory of 4556	3984	67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe	87
PID 3984 wrote to memory of 4556	3984	67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe	87
PID 4556 wrote to memory of 4856	4556	svchost.exe	88
PID 4556 wrote to memory of 4856	4556	svchost.exe	88
PID 4556 wrote to memory of 4856	4556	svchost.exe	88
PID 4556 wrote to memory of 852	4556	svchost.exe	102
PID 4556 wrote to memory of 852	4556	svchost.exe	102
PID 4556 wrote to memory of 852	4556	svchost.exe	102
PID 4556 wrote to memory of 3188	4556	svchost.exe	103
PID 4556 wrote to memory of 3188	4556	svchost.exe	103
PID 4556 wrote to memory of 3188	4556	svchost.exe	103
PID 3188 wrote to memory of 5068	3188	3BCD31EF45A5190D7396.exe	105
PID 3188 wrote to memory of 5068	3188	3BCD31EF45A5190D7396.exe	105
PID 3188 wrote to memory of 5068	3188	3BCD31EF45A5190D7396.exe	105
PID 3188 wrote to memory of 5068	3188	3BCD31EF45A5190D7396.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67b78d68337844c4ce0c585851b633e2_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Disables RegEdit via registry modification
  - Deletes itself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\SysWOW64\reg.exe
    reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown.exe -r -f -t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Users\Admin\AppData\Local\Temp\3BCD31EF45A5190D7396.exe
    C:\Users\Admin\AppData\Local\Temp\3BCD31EF45A5190D7396.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:5068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:3140

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395e055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3BCD31EF45A5190D7396.exe

Filesize
39KB

MD5
67b78d68337844c4ce0c585851b633e2

SHA1
e356526d53a8f1bef9587544c46af4035d31d7f8

SHA256
d1bf365dc4132fb562fb99e01e3613ed2a3548d5af74a810debacb7da8bf4e28

SHA512
0b4ce217d00d6f1f76700a15aeae9cbf91a88f3e4ec96806e4f45b04480f19b734151fd74934921d8cf08ea702b49c4f88682df446d8330c6486e9169e8ec0be

Download Submit
memory/3188-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3188-11-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3984-0-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/3984-3-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3984-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4556-1-0x000000007F300000-0x000000007F30E000-memory.dmp

Filesize
56KB

Download
memory/4556-10-0x000000007F300000-0x000000007F30E000-memory.dmp

Filesize
56KB

Download
memory/5068-9-0x000000007F710000-0x000000007F71E000-memory.dmp

Filesize
56KB

Download
memory/5068-13-0x000000007F710000-0x000000007F71E000-memory.dmp

Filesize
56KB

Download
memory/5068-15-0x000000007F710000-0x000000007F71E000-memory.dmp

Filesize
56KB

Download
memory/5068-17-0x000000007F710000-0x000000007F71E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

Errors